Presentation on theme "Lattice-Based Cryptography": presentation transcript
Slide 1
Lattice-Based Cryptography
Vadim Lyubashevsky

Slides 2-4
Cryptography
Allows for secure communication in the presence of malicious parties

Slide 5
Symmetric-Key Cryptography
Secret key = s

Slide 6
Symmetric-Key Cryptography
Secret key = s (the same s is held by both parties)
Will still exist if quantum computers are built

Slide 7
Public-Key Cryptography
Secret key = s
Public key = p

Slide 8
Public-Key Cryptography
Secret key = s
Public key = p (known to everyone)

Slide 9
Mathematical Assumptions for Public-Key Cryptography
N = pq: factoring is hard
g^x = y mod p: computing discrete logs is hard
Mostly problems from number theory
All broken once a quantum computer is built

Slide 10
Consequence of Quantum Computing
Current public key schemes will be broken
Quantum computers will recover all of today's secrets

Slide 11
Consequence of Quantum Computing
Need to eventually migrate all internet security to quantum-resistant schemes
Do it only once!
Slide 12
Assumptions for Quantum-Resilient Public-Key Cryptography
N = pq (factoring is hard) and g^x = y mod p (computing discrete logs is hard): both broken by a quantum computer
Finding short vectors in lattices is hard
(f, g) in Z[x]/(x^n + 1)

Slide 13
Ultimate Goal
Construct practical, quantum-resilient cryptography for every device

Slide 14
The Critical Schemes
Digital Signatures
Key Exchange (Public Key Encryption)

Slide 15
Practical Lattice-Based Constructions
Key Exchange:
NTRU public-key encryption (1998)
Ring-LWE public-key encryption (2010)
Digital Signatures:
Recent (2013) schemes (e.g. BLISS)

Slide 16
Lattice Cryptography ≈ Knapsack Cryptography (done correctly)

Slide 17
The Subset Sum (Knapsack) Problem

Slide 18
Subset Sum Problem
a_i, T in Z_M
a_i are chosen randomly
T is a sum of a random subset of the a_i
Given a_1, a_2, a_3, ..., a_n and T: find a subset of the a_i's that sums to T (mod M)

Slide 19
Subset Sum Problem
a_i, T in Z_49
a_i are chosen randomly
T is a sum of a random subset of the a_i
Example: a = (15, 31, 24, 3, 14), T = 11
15 + 31 + 14 = 11 (mod 49)

Slide 20
How Hard is Subset Sum?
a_i, T in Z_M
Given a_1, a_2, a_3, ..., a_n and T: find a subset of the a_i's that sums to T (mod M)
Hardness depends on:
Size of n and M
Relationship between n and M

Slide 21
Complexity of Solving Subset Sum
M                        runtime
2^(log^2(n))             poly(n)     "generalized birthday attacks" [FlaPrz05, Lyu06, Sha08]
2^n up to 2^(n log(n))   2^(Ω(n))    (best known attacks take time 2^(cn) for a constant c)
2^(n^2)                  poly(n)     "lattice reduction attacks" [LagOdl85, Fri86]

Slide 22
Subset Sum is "Pseudorandom"

Slide 23
"Computationally Indistinguishable"
Figure: samples Y_1, Y_2, ..., Y_k drawn from D_Y, samples X_1, X_2, ..., X_k drawn from D_X, and samples Z_1, Z_2, ..., Z_k drawn from an unknown distribution D?; the distinguisher must decide whether D? = D_X or D? = D_Y.

Slide 24
Subset Sum is "Pseudorandom"
[Impagliazzo-Naor 1989]: For random a_1, ..., a_n in Z_M and random x_1, ..., x_n in {0,1}, distinguishing the distribution (a_1, ..., a_n, a_1 x_1 + ... + a_n x_n mod M) from the uniform distribution U(Z_M^(n+1)) is as hard as finding x_1, ..., x_n

Slide 25
What About Public-Key Encryption?
Many early attempts
None of them had proofs of security
All seem to be broken

Slide 26
Cryptosystem based on Subset Sum [L, Palacio, Segev 2010]
Slide 27
Facts About Addition
Adding n numbers (written in base q) modulo q^m → carries < n
If q > n, then adding with carries (i.e. in Z_M) ≈ adding without carries (i.e. in Z_q^n)
Example: want to add 4679 + 3907 + 8465 + 1343 mod 10^4
Column by column without carries (each column mod 10): 6274
With carries: 8394; the carries entering the thousands, hundreds, tens and ones columns are 2, 1, 2, 0, all < 4

Slide 28
So...
Rows: 4679, 3907, 8465, 1643
Subset x = (1, 1, 0, 1) selects rows 1, 2 and 4:
Column-wise sum without carries: 8119 → pseudorandom based on subset sum!
Carries entering each column: 2110 → NOT pseudorandom!
8119 + 2110 = 0229 = 4679 + 3907 + 1643 (mod 10^4)

Slide 29
Column Subset Sum Addition Is Also Pseudorandom
Figure: the same four rows, but now each column (4381, 6946, 7064, 9753, read from top to bottom) is viewed as a base-10 number and a random subset of the columns is added; the result is again pseudorandom.

Slide 30
"Hybrid" Subset Sum Addition Is Also Pseudorandom
Rows: 46790, 39079, 84658, 16430 (the four rows above, each extended by one more digit)
Subset x = (1, 0, 0, 1) selects rows 1 and 4: the carries are 11100 and the sum is 63220 → pseudorandom

Slide 31
Encryption Scheme
A in Z_q^(n x n), s in {0,1}^n, r in {0,1}^n
Public key: (A, t), where t = As + [carries]
Ciphertext: (u, v) = (rA, rt) + [carries] + (0, m)

Slide 32
Encryption Scheme
t = As + [carries] is pseudorandom based on the hardness of the subset sum problem
(u, v) = (rA, rt) + [carries] + (0, m)

Slide 33
Encryption Scheme
v = rt + [small] + m = r(As + [small]) + [small] + m = rAs + [small] + m

Slide 34
Encryption Scheme
us = (rA + [small])s = rAs + [small] ≈ v

Slide 35
Encryption Scheme
v - us = m + [small]
represent 0 by m = 0
represent 1 by m = (q-1)/2
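The carry decomposition of slides 27-30 and the subset-sum encryption scheme of slides 31-35, as an added example that is not part of the original presentation (Python written for this page; the function names and the toy parameters n = 8, q = 997 are my own choices, not the published scheme's, and q is kept large enough that the carry terms stay below q/4):

```python
import random

def subset_sum_with_carries(rows, bits, q):
    """Add the rows selected by bits, each row being the base-q digits of a number
    (most significant digit first), modulo q^width.  Returns the digits of the sum,
    the carry-free column sums mod q, and the carry that entered each column.
    Adding at most n rows never produces a carry of n or more."""
    width = len(rows[0])
    col = lambda i: sum(b * row[i] for row, b in zip(rows, bits))
    carry_free = [col(i) % q for i in range(width)]
    digits, carries, carry = [0] * width, [0] * width, 0
    for i in reversed(range(width)):                  # least-significant column first
        total = col(i) + carry
        carries[i], digits[i], carry = carry, total % q, total // q
    return digits, carry_free, carries

def keygen(n, q, rng):
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]   # uniform A in Z_q^{n x n}
    s = [rng.randrange(2) for _ in range(n)]                       # secret s in {0,1}^n
    cols = [[A[i][j] for i in range(n)] for j in range(n)]         # columns of A as base-q numbers
    t, _, _ = subset_sum_with_carries(cols, s, q)                  # t = A s + carries (column subset sum)
    return (A, t), s

def encrypt(pk, bit, q, rng):
    A, t = pk
    n = len(t)
    r = [rng.randrange(2) for _ in range(n)]                       # r in {0,1}^n
    m = 0 if bit == 0 else (q - 1) // 2                            # bit 0 -> 0, bit 1 -> (q-1)/2
    rows = [A[i] + [t[i]] for i in range(n)]                       # "hybrid" matrix [A | t]
    uv, _, _ = subset_sum_with_carries(rows, r, q)                 # (u, v) = r [A | t] + carries
    return uv[:n], (uv[n] + m) % q

def decrypt(sk, ct, q):
    u, v = ct
    x = (v - sum(ui * si for ui, si in zip(u, sk))) % q            # v - u s = m + (small carry terms)
    return 0 if min(x, q - x) < q // 4 else 1                      # nearer to 0, or nearer to q/2?

def roundtrip_ok(n=8, q=997, trials=50, seed=1):
    """The carry terms total less than 2n^2, so q > 8n^2 keeps them below q/4."""
    rng = random.Random(seed)
    pk, sk = keygen(n, q, rng)
    bits = [rng.randrange(2) for _ in range(trials)]
    return all(decrypt(sk, encrypt(pk, b, q, rng), q) == b for b in bits)

if __name__ == "__main__":
    print(subset_sum_with_carries([[4, 6, 7, 9], [3, 9, 0, 7], [8, 4, 6, 5], [1, 6, 4, 3]], [1, 1, 0, 1], 10))
    print("all trial decryptions correct:", roundtrip_ok())
```

Run on the rows of slide 28 with x = (1, 1, 0, 1) the function returns the digits 0229, the carry-free sums 8119 and the carries 2110 from the slide; the hybrid rows of slide 30 with x = (1, 0, 0, 1) give 63220 with carries 11100.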
Slide 36
Cryptosystem based on LWE [Regev 2005]

Slide 37
Encryption Scheme (what we needed)
t = As + [small], where (A, t) is pseudorandom and the added term is "small"
(u, v) = (rA, rt) + [small] + (0, m)

Slide 38
Picking the "Carries"
In subset sum: carries were deterministic
What if ... we pick the "carries" at random from some distribution?

Slide 39
So...
Subset sum: rows 4679, 3907, 8465, 1643 with x = (1, 1, 0, 1); the carries 2110 are added to the column-wise sum and the result is 0229 → pseudorandom based on subset sum
LWE: the same rows with s = (2, 3, 0, 1) (coefficients in Z_10, no longer just bits); the deterministic carries are replaced by "carries" (1, 3, 2, 1) picked at random, and the slide shows the result 7203 → pseudorandom based on LWE [Reg '05]

Slide 40
(Decision) LWE Problem
World 1: a_1, a_2, ..., a_m uniformly random; b = As + e, where A has rows a_1, ..., a_m
World 2: a_1, a_2, ..., a_m uniformly random; b uniformly random in Z_p^m
Theorem [Regev '05]: There is a polynomial-time quantum reduction from solving certain lattice problems in the worst case to solving LWE.

Slide 41
LWE vs. Subset Sum
The Subset Sum assumption has "deterministic noise" (is this useful for anything?)
The LWE assumption is more "versatile"
Figure: the LWE problem (a_1, ..., a_m, b = As + e, with the error e chosen at random) next to the subset sum problem (a_1, ..., a_n, s in {0,1}^n, b = As + carries); one of the configurations drawn is marked EASY!!

Slide 42
LWE / Subset Sum Encryption
Public key: (A, t = As + [small]); ciphertext: (u, v) = (rA, rt) + [small] + (0, m)
n-bit encryption        Have      Want
Public key size         Õ(n)      O(n)
Secret key size         Õ(n)      O(n)
Ciphertext expansion    Õ(n)      O(1)
Encryption time         Õ(n^3)    O(n)
Decryption time         Õ(n^2)    O(n)

Slide 43
Cryptosystem based on Ring-LWE [L, Peikert, Regev 2010]
Slide 44
Source of Inefficiency of LWE
Getting n extra random-looking numbers (i.e. t) from a secret s requires n^2 random numbers (i.e. A) and an error vector: t = As + e
Wishful thinking: get n random numbers and produce n pseudorandom numbers in "one shot"
Figure: (2, 8, 7, 3) * (1, 0, 2, 1), contrasted with t = As + e

Slide 45
Use Polynomials
f(x) is a polynomial x^n + a_(n-1) x^(n-1) + ... + a_1 x + a_0
R = Z_p[x]/(f(x)) is a polynomial ring with
Addition mod p
Polynomial multiplication mod p and f(x)
Each element of R consists of n elements in Z_p
In R: small + small = small; small * small = small (depending on f(x))

Slide 46
Ring-LWE Cryptosystem
Public key: (a, t), where t = as + [small]
Secret key: s
Encryption: u = ar + [small], v = tr + [small] + m
Decryption: v - us = (as + [small])r + [small] + m - (ar + [small])s = ras + [small] + m - ras - [small] = m + [small]
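The Ring-LWE cryptosystem of slides 45-46, as an added example that is not part of the original presentation (Python written for this page; the ring is Z_q[x]/(x^n + 1) as on slide 12, "small" elements have coefficients in {-1, 0, 1}, and n = 16, q = 257 are my own toy parameters, not the scheme's published ones):

```python
import random

def poly_mul(a, b, q):
    """Multiply in R = Z_q[x]/(x^n + 1): a term landing on x^(n+k) wraps around to -x^k."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + ai * bj) % q
            else:
                out[i + j - n] = (out[i + j - n] - ai * bj) % q
    return out

def poly_add(a, b, q): return [(x + y) % q for x, y in zip(a, b)]
def poly_sub(a, b, q): return [(x - y) % q for x, y in zip(a, b)]

def small(n, rng):
    """A 'small' ring element: coefficients in {-1, 0, 1} (constructed toy distribution)."""
    return [rng.randint(-1, 1) for _ in range(n)]

def keygen(n, q, rng):
    a = [rng.randrange(q) for _ in range(n)]                 # uniform a in R
    s, e = small(n, rng), small(n, rng)                      # secret s, error e
    return (a, poly_add(poly_mul(a, s, q), e, q)), s         # public key (a, t = a s + e)

def encrypt(pk, bits, q, rng):
    a, t = pk
    n = len(a)
    r, e1, e2 = small(n, rng), small(n, rng), small(n, rng)
    m = [b * ((q - 1) // 2) for b in bits]                   # bit 0 -> 0, bit 1 -> (q-1)/2
    u = poly_add(poly_mul(a, r, q), e1, q)                   # u = a r + e1
    v = poly_add(poly_add(poly_mul(t, r, q), e2, q), m, q)   # v = t r + e2 + m
    return u, v

def decrypt(sk, ct, q):
    u, v = ct
    x = poly_sub(v, poly_mul(u, sk, q), q)                   # v - u s = m + (e r + e2 - e1 s)
    return [0 if min(c, q - c) < q // 4 else 1 for c in x]   # nearer to 0, or nearer to q/2?

def roundtrip_ok(n=16, q=257, trials=20, seed=7):
    """Each error coefficient is at most 2n + 1 in size, so q > 8n + 4 decrypts correctly."""
    rng = random.Random(seed)
    pk, sk = keygen(n, q, rng)
    msgs = [[rng.randrange(2) for _ in range(n)] for _ in range(trials)]
    return all(decrypt(sk, encrypt(pk, bits, q, rng), q) == bits for bits in msgs)
```

One ring element of n coefficients carries n message bits at once, which is the Õ(1) ciphertext expansion claimed on slide 50, and every operation is a single polynomial multiplication rather than a matrix-vector product.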
Slide 47
Security
(a, t = as + [small]): pseudorandom??
(u, v) = (ar + [small], tr + [small] + m)

Slide 48
Decision Learning With Errors over Rings
World 1: a_1, a_2, a_3, ..., a_m uniformly random; b_i = a_i s + e_i
World 2: a_1, a_2, a_3, ..., a_m and b_1, b_2, b_3, ..., b_m all uniformly random
Theorem [LPR '10]: In cyclotomic rings, there is a quantum reduction from solving worst-case problems in ideal lattices to solving Decision-RLWE

Slide 49
Security
(a, t = as + [small]): pseudorandom based on Decision Ring-LWE!!
(u, v) = (ar + [small], tr + [small] + m)

Slide 50
Ring-LWE Encryption
Public key: (a, t = as + [small]); ciphertext: (u, v) = (ar + [small], tr + [small] + m)
n-bit encryption        From LWE   From Ring-LWE
Public key size         Õ(n)       Õ(n)
Secret key size         Õ(n)       Õ(n)
Ciphertext expansion    Õ(n)       Õ(1)
Encryption time         Õ(n^3)     Õ(n)
Decryption time         Õ(n^2)     Õ(n)
Slide 51
Where are the lattices?

Slide 52
Subset Sum and Lattices
An integer lattice is an additive subgroup of Z^n
Subset sum instance: a_1, a_2, a_3, ..., a_n and T = a_1 x_1 + ... + a_n x_n mod M for x_i in {0,1}
a = (a_1, a_2, ..., a_n, T)
L(a) = {y in Z^(n+1) : a·y = 0 mod M}
Notice that x = (x_1, x_2, ..., x_n, -1) is in L(a)
x <

Slide 53
Connection to Lattices
Finding short vectors in lattices implies:
Solving subset sum
Solving LWE
Solving Ring-LWE
Basically breaking all of "lattice crypto"
Interesting part: there are proofs in the other direction

Slide 54
Connection to Lattices
Solving LWE implies:
For all lattices, determining whether a lattice has a short vector (GapSVP), via a classical reduction
For all lattices, finding n linearly-independent short vectors (SIVP), via a quantum reduction
Solving Ring-LWE over the ring Z_q[x]/(f(x)) implies:
For all ideals of Z[x]/(f(x)), finding a short vector (Ideal-SVP), via a quantum reduction

Slide 55
Purpose of Proofs in Practice
Proofs guide us to the "correct design"
Sometimes the "correct design" is surprising
Example:
We know decision problems are easy in the ring Z[x]/(x^n - 1) because x - 1 is a factor
Trying to get a security reduction led us to choose a polynomial f(x) irreducible over the integers
But working over the ring Z_q[x]/(f(x)) where f(x) factors completely over Z_q is OK, even sometimes necessary!

Slide 56
Getting a Usable Scheme
Setting exact parameters is trickier
If we follow the proof, it may be too inefficient
If we deviate, we may be less secure
Need to have a feeling for what's important
No substitute for cryptanalysis
Proofs tell the cryptanalyst what to concentrate on

Slide 57
Summary
Practical designs for all the basic schemes:
Public-key encryption
Digital signatures
Identity-based encryption
Authenticated key exchange (the only public-key primitive really needed on the internet)
Polynomial-time constructions for many other schemes:
Group signatures
Fully-homomorphic encryption
Attribute-based encryption
Many others

Slide 58
Some Research Directions
Polynomial-time constructions for many other schemes (group signatures, fully-homomorphic encryption, attribute-based encryption, many others):
Come up with much better designs

Slide 59
Some Research Directions
Practical designs for all the basic schemes (public-key encryption, digital signatures, identity-based encryption, authenticated key exchange):
Cryptanalysis
Efficient (quantum) algorithm for finding short vectors in ideal lattices? If yes, then the hardness foundation is in question
What is the best (quantum) algorithm for Ring-LWE? Need this to set concrete parameters

Slide 60
Some Research Directions
Practical designs for all the basic schemes (public-key encryption, digital signatures, identity-based encryption, authenticated key exchange):
Standardization
Algorithmic problems (e.g. efficient sampling)
Want TLS and IKE to use lattices (and use them well)
Many tradeoffs between speed/size possible
Resource-constrained devices
Standards may need to be "application-driven"

Slide 61
THANK YOU